Staley’s prankster reminds City nobody is safe in cyber wars

Emails are the main arteries into an organisation and we are all vulnerable, cyber security experts warn

News that the CEO of Barclays has fallen victim to an email prankster is an unfortunate reminder that it is not only sophisticated attacks that threaten the cyber security of finance’s biggest institutions, experts have warned.

Professor Richard Denham, chairman of the National Cyber Management Centre, told FN that everyone within an organisation can be caught out by such tricks, including those in C-suite roles at the very top. He said: “Boardroom members are not immune to be vulnerable to pranksters.”

News broke overnight that Jes Staley had replied to emails purporting to have come from the Barclays chairman, John McFarlane, after the bank’s annual general meeting on Wednesday.

In the brief exchanges, the CEO thanked McFarlane for his support over the recent whistleblowing scandal at the bank. The prankster later contacted the FT and shared the contents of the emails.

A spokesman for Barclays confirmed the story was accurate but declined to comment further.

Denham said he is seeing an increase in the number of board members – in particular chief executives and chairmen – being targeted. “We are all vulnerable. People have businesses to run [and banks] are fast moving,” he said.

But he added that banks must reinforce the need to be vigilant and called for more boardroom education on cyber security and data leakage issues. He said it was ironic that Barclays has fallen victim to the prank as it is one of the banks leading the fight against cyber crime. “I can’t criticise them but the timing makes it embarrassing,” he said.

A video displayed in the lifts at Barclays’ London headquarters at Canary Wharf reminds staff about the dangers of data leakage and cyber security. It warns them not to send company documents to personal email addresses and urges employees to report any possible breaches immediately to line managers. The message also reminds staff that “everyone makes mistakes”.

However, Tim Sadler, the co-founder and CEO of fintech startup Check Recipient, which uses machine learning to analyse historical data and verify illegitimate emails for large financial institutions, said this type of self-reporting system does not work.

He said banks need to have automated checks on email recipients rather than “hoping that people will report [suspicious emails]” and added that in the case of the Barlcays prankster, a system could have spotted that the sender had never interacted with Staley before and flagged this up.

Emails are main arteries into an organisation, according to Sadler, who added this was a “huge risk”. “Imagine if emails were sent including sensitive data or customer data. It’s easily done, we live on email and almost do it without thinking.”

Charles Delingpole, an ex-JP Morgan banker who set up anti-money laundering focused fintech Comply Advantage, said: “Small-scale phishing attacks, whether targeting Barclays or the [US] Democrats can we be well executed and simple to coordinate. The reputational and financial impacts are extremely material, and increasing only day by day.”

At an event in Luton last month, Nausicaa Delfas, the acting chief operating officer at the UK’s Financial Conduct Authority, said the country’s financial firms were still struggling with the basics of effective cyber security. She said at the time: “Tools to enable effective management of vulnerabilities are well established, and yet organisations either don’t use them, or don’t use them effectively.”